Annotation of wikisrc/tutorials/how_to_create_an_l2tp_ipsec_tunnel_between_an_android_or_iphone_or_ios_device_to_netbsd.mdwn, revision 1.2

[[!meta title="how to create an L2TP ipsec tunnel between an Android or iPhone or iOS device to NetBSD"]]

You need NetBSD-current later than 2013-07-01 with a kernel with "options IPSEC". Install the pkgsrc package net/xl2tpd.

## Network Topology

                              -------------
          192.168.2.4/24  ---| NetBSD Host |--- 1.2.3.4
        [internal interface]  -------------     [external interface]

We are going to use 192.168.1.80 as the local endpoint of each ppp interface and 192.168.2.80-89
for up to 9 simultaneous tunnels. We will provide DNS from 192.168.2.4.

## Configuration files

All the configuration files except the firewall rules are provided as part of the xl2tpd package; copy them to the right places. In ipsec.conf change @LOCAL_ADDRESS@ to your external address 1.2.3.4. Set the key in /etc/racoon/psk.txt (this will be your shared secret). Set the username and password in /etc/ppp/chap-secrets. Enable ipsec, racoon and xl2tpd in rc.conf. You'll need to include all the ppp interfaces in your firewall config file to allow traffic to and from them. I use npf, and I've automated this using the /etc/ppp/ip-up file to generate my npf.conf file dynamically from the list of active interfaces and use npf reload to reload the rules. The npf file I am using is in /usr/share/examples/npf/l2tp_gw-npf.conf.
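
An added example (not from the wiki page or the xl2tpd package) of the kind of /etc/ppp/ip-up hook the paragraph describes: it rebuilds npf.conf from the ppp interfaces currently present and reloads the rules. The /etc/npf/head.conf and /etc/npf/tail.conf split, the NetBSD 7 style `group ... on ifname` rule syntax and the sanity check against the 9-tunnel limit are assumptions.

```shell
#!/bin/sh
# Regenerate npf.conf so every active pppN interface is allowed through the
# firewall, then reload npf. Intended to be called from /etc/ppp/ip-up (and
# ip-down, so rules for torn-down tunnels disappear again).

# Print one npf group per ppp interface in the given list.
# $1: whitespace-separated interface names, as printed by "ifconfig -l".
gen_ppp_groups() {
    for ifn in $1; do
        case "$ifn" in
        ppp[0-9]*)   # only the L2TP ppp interfaces, not sk0/lo0/pppoe0
            printf 'group "%s" on %s {\n' "$ifn" "$ifn"
            printf '\tpass stateful in final all\n'
            printf '\tpass stateful out final all\n'
            printf '}\n'
            ;;
        esac
    done
}

# Number of ppp interfaces that would be opened up (for the 9-tunnel check).
count_ppp() {
    gen_ppp_groups "$1" | grep -c '^group'
}

# Assemble the file from a static head and tail (assumed locations) with the
# generated ppp groups in between, install it atomically, then reload.
regen_and_reload() {
    ifaces=$(ifconfig -l)
    n=$(count_ppp "$ifaces") || n=0
    if [ "$n" -gt 9 ]; then
        echo "warning: $n ppp interfaces, more than the 9 tunnels provisioned" >&2
    fi
    {
        cat /etc/npf/head.conf
        gen_ppp_groups "$ifaces"
        cat /etc/npf/tail.conf
    } > /etc/npf.conf.new && mv /etc/npf.conf.new /etc/npf.conf
    npfctl reload
}

# Do the real work only when installed as the ppp hook script.
case "${0##*/}" in
ip-up|ip-down) regen_and_reload ;;
esac
```

Install it as /etc/ppp/ip-up (executable) and symlink ip-down to it; pppd runs both as root, which npfctl reload requires.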

To debug problems you can use tcpdump on the external, internal and ppp interfaces, and on the npflog device.

## Sample message output

This is aggressive mode (iOS); the iPhone uses main mode.

     racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
     racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
     racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
     racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
     racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
     racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
     racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
     racoon: INFO: received Vendor ID: DPD
     racoon: [5.6.7.8] INFO: Selected NAT-T version: RFC 3947
     racoon: INFO: Adding remote and local NAT-D payloads.
     racoon: [5.6.7.8] INFO: Hashing 5.6.7.8[500] with algo #2
     racoon: [1.2.3.4] INFO: Hashing 1.2.3.4[500] with algo #2
     racoon: INFO: NAT-T: ports changed to: 5.6.7.8[4500]<->1.2.3.4[4500]
     racoon: [1.2.3.4] INFO: Hashing 1.2.3.4[4500] with algo #2
     racoon: INFO: NAT-D payload #0 verified
     racoon: [5.6.7.8] INFO: Hashing 5.6.7.8[4500] with algo #2
     racoon: INFO: NAT-D payload #1 doesn't match
     racoon: INFO: NAT detected: PEER
     racoon: INFO: ISAKMP-SA established 1.2.3.4[4500]-5.6.7.8[4500] spi:4f47a16084102305:a47415e957a56da4
     racoon: [5.6.7.8] INFO: received INITIAL-CONTACT
     racoon: INFO: purging spi=249311193.
     racoon: INFO: respond new phase 2 negotiation: 1.2.3.4[4500]<=>5.6.7.8[4500]
     racoon: INFO: Update the generated policy : 192.168.1.103/32[55576] 1.2.3.4/32[1701] proto=udp dir=in
     racoon: INFO: Adjusting my encmode UDP-Transport->Transport
     racoon: INFO: Adjusting peer's encmode UDP-Transport(4)->Transport(2)
     racoon: INFO: IPsec-SA established: ESP/Transport 1.2.3.4[500]->5.6.7.8[500] spi=258257246(0xf64b15e)
     racoon: INFO: IPsec-SA established: ESP/Transport 1.2.3.4[500]->5.6.7.8[500] spi=236082834(0xe125692)
     xl2tpd[454]: Connection established to 5.6.7.8, 55576.  Local: 34593, Remote: 6 (ref=0/0).  LNS session is 'default'
     xl2tpd[454]: set queue size for /dev/pts/0 to 32768
     xl2tpd[454]: Call established with 5.6.7.8, Local: 12914, Remote: 28785, Serial: 1
     pppd[26068]: pppd 2.4.4 started by root, uid 0
     pppd[26068]: set_up_tty: Changed queue size of 12 from 1024 to 32768
     pppd[26068]: tty_establish_ppp: Changed queue size of 12 from 1024 to 32768
     pppd[26068]: Using interface ppp0
     pppd[26068]: Connect: ppp0 <--> /dev/pts/0
     racoon: INFO: 192.168.2.80[500] used for NAT-T
     pppd[26068]: found interface sk0 for proxy arp
     racoon: INFO: 192.168.2.80[500] used as isakmp port (fd=22)
     pppd[26068]: local  IP address 192.168.2.80
     racoon: INFO: 192.168.2.80[4500] used for NAT-T
     pppd[26068]: remote IP address 192.168.2.81
     racoon: INFO: 192.168.2.80[4500] used as isakmp port (fd=23)
     racoon: INFO: fe80:6::20d:88ff:fe6e:5b1c[500] used as isakmp port (fd=24)
     racoon: INFO: fe80:6::20d:88ff:fe6e:5b1c[4500] used as isakmp port (fd=25)
     racoon: INFO: deleting a generated policy.
     racoon: INFO: purged IPsec-SA proto_id=ESP spi=236082834.
     racoon: INFO: ISAKMP-SA expired 1.2.3.4[4500]-5.6.7.8[4500] spi:4f47a16084102305:a47415e957a56da4
     racoon: INFO: ISAKMP-SA deleted 1.2.3.4[4500]-5.6.7.8[4500] spi:4f47a16084102305:a47415e957a56da4
     xl2tpd[454]: control_finish: Connection closed to 5.6.7.8, serial 1 ()
     pppd[26068]: LCP terminated by peer (User request)
     xl2tpd[454]: control_finish: Connection closed to 5.6.7.8, port 55576 (), Local: 34593, Remote: 6
     pppd[26068]: Connect time 1.3 minutes.
     pppd[26068]: Sent 1723454 bytes, received 389800 bytes.
     pppd[26068]: Terminating on signal 15
     pppd[26068]: Modem hangup
     pppd[26068]: Connection terminated.
     pppd[26068]: Exit.

